CVE-2022-22975

Source
https://cve.org/CVERecord?id=CVE-2022-22975
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22975.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-22975
Aliases
Related
  • GHSA-hvrf-5hhv-4348
Published
2022-05-11T16:15:08.877Z
Modified
2026-01-30T01:43:05.818183Z
Severity
  • 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

An issue was discovered in the Pinniped Supervisor when configured with either LDAPIdentityProvider or ActiveDirectoryIdentityProvider resources. An attack would involve a malicious user changing the common name (CN) of their own user entry on the LDAP or AD server to include special characters, which could then be used to perform LDAP query injection against the LDAP query the Supervisor runs to determine that user's Kubernetes group membership.

References

Affected packages

Git / github.com/vmware-tanzu/pinniped

Affected ranges

Type
GIT
Repo
https://github.com/vmware-tanzu/pinniped
Events

Affected versions

v0.*
v0.10.0
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.16.0
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-22975.json"